DarkSword: A Multi-Stage iOS Exploit Kit Used for Espionage and Crypto Theft
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive ordering all Federal Civilian Executive Branch (FCEB) agencies to apply patches for three actively exploited iOS vulnerabilities by April 3, 2026. The vulnerabilities are part of a six-flaw exploitation chain leveraged by DarkSword, a sophisticated iOS exploit delivery framework uncovered by security researchers.
The DarkSword framework abuses a chained set of vulnerabilities — CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520 — to achieve sandbox escape, privilege escalation, and full remote code execution on targeted iPhones. All six flaws have been patched by Apple in the latest iOS releases, but devices still running iOS 18.4 through 18.7 remain exposed.
Three Malware Families Deployed Through DarkSword
Security researchers observed three distinct malware families being deployed on victims' devices via the DarkSword delivery framework. The first, GhostBlade, is an aggressive JavaScript-based information stealer. The second, GhostKnife, operates as a backdoor capable of exfiltrating large volumes of data from compromised devices. The third, GhostSaber, is a JavaScript-based tool that executes code and steals victim data in parallel.
A notable characteristic of DarkSword is its anti-forensic behavior: the framework automatically wipes temporary files and self-terminates after completing its data theft operations, suggesting it was deliberately engineered for short-term covert surveillance missions designed to evade detection by security tools and forensic analysts.
Threat Actors and Targeted Infrastructure
Researchers linked DarkSword activity to multiple distinct threat groups. UNC6748 has been identified as a customer of PARS Defense, a Turkish commercial surveillance vendor. A second group, UNC6353, is assessed to be a suspected Russian espionage actor. UNC6353 was observed deploying both the DarkSword and Coruna iOS exploit kits in watering-hole attacks targeting iPhone users who visited compromised Ukrainian websites belonging to e-commerce businesses, industrial equipment providers, and local services organizations.
Mobile security company Lookout, which discovered DarkSword while investigating infrastructure used in Coruna attacks, assessed that DarkSword is being used in cyber-espionage operations aligned with Russian intelligence collection requirements, as well as by Russian-linked threat actors with financial motivations.
CISA's Binding Directive and Scope
On the same day as the public disclosure, CISA formally added three of the six DarkSword vulnerabilities — CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520 — to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required under Binding Operational Directive (BOD) 22-01 to remediate these flaws within two weeks.
CISA's advisory instructs agencies to apply vendor-provided mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the affected product if mitigations are unavailable. The agency emphasized that these vulnerability types represent frequent attack vectors exploited by malicious cyber actors and pose significant risks to the federal enterprise. While the mandate is binding only for federal agencies, CISA strongly urged private sector organizations to prioritize patching these vulnerabilities as soon as possible.
Mitigation Recommendations
All iPhone users running iOS 18.4 through 18.7 are urged to update to the latest available iOS version immediately. Organizations managing enterprise mobile device fleets should enforce mandatory update policies through their MDM and audit device inventories against the affected version range rather than relying on users to update on their own. Because DarkSword is delivered through compromised websites, security teams should also review web proxy and DNS logs for connections to infrastructure associated with the campaign, watch for suspicious outbound connections from mobile endpoints, and look for indicators of compromise associated with the GhostBlade, GhostKnife, and GhostSaber malware families.
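The compliance audit above is the part most fleets can do today, but it is easy to get wrong: a naive string comparison sorts "18.10" below "18.4", and tuple comparison puts (18, 7, 1) above (18, 7). The following script is an added example, not code from the original article or from any vendor named in it. It reads a constructed MDM export in a generic device_id,model,os_version shape (the column names are an assumption), parses each version into integers, and classifies devices against the 18.4 through 18.7 range stated in the article. It treats every 18.4.x through 18.7.x build as exposed and labels only the range boundaries, so the result is "outside the stated range", not proof that a device carries the fix; adjust the boundaries once the exact fixed build for your fleet is confirmed.

```python
"""
Audit an MDM device inventory against the iOS version range the advisory
calls exposed.  Added example: inventory columns, the sample rows and the
treatment of x.y.z patch builds are all assumptions, not from the article.
"""
import csv
import io
import re

# Assumption: every 18.4.x through 18.7.x build counts as exposed.  Compared on
# the (major, minor) prefix so that 18.7.1 still lands inside the range.
EXPOSED_MIN = (18, 4)
EXPOSED_MAX = (18, 7)

# Constructed sample export; real exports will differ in column names.
SAMPLE_INVENTORY = """device_id,model,os_version
ipad-0001,iPad Air,18.7.1
iphone-0002,iPhone 15,18.4
iphone-0003,iPhone 14,18.7
iphone-0004,iPhone 16,26.3
iphone-0005,iPhone 13,17.7.2
iphone-0006,iPhone 15 Pro,18.3.2
iphone-0007,iPhone 12,18.6.1
iphone-0008,iPhone 11,
"""


def parse_version(text):
    """Turn '18.7.1' into (18, 7, 1).  Return None for empty or malformed input
    so a device that never reported a version is not silently treated as safe."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Map one os_version string to exposed / older / ok / unknown.

    'ok' means only that the build is above the stated range; 'older' means it
    predates the range (the article makes no claim about those builds, but they
    are not current either and deserve review)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    major_minor = (version[0], version[1]) if len(version) >= 2 else (version[0], 0)
    if EXPOSED_MIN <= major_minor <= EXPOSED_MAX:
        return "exposed"
    if major_minor < EXPOSED_MIN:
        return "older"
    return "ok"


def audit_inventory(csv_text):
    """Return a dict of classification -> list of device_ids, preserving order."""
    buckets = {"exposed": [], "older": [], "ok": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[classify(row["os_version"])].append(row["device_id"])
    return buckets


if __name__ == "__main__":
    for label, devices in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{label:8s} {len(devices):3d}  {', '.join(devices)}")
```

Devices in the "exposed" and "unknown" buckets are the ones to push an update to or quarantine from corporate resources; an empty os_version usually means the device has not checked in, which is itself worth chasing down.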